ESP8266 vulnerability, how to check?

[BosseB]

I don't know if this question belongs here or in the programming subforum, but I found it to be closest to here...

What I would like to know is if there has been some security audit into the library code used by projects for the ESP8266 modules?
I just read a pretty alarming article of IoT devices used by hackers to wreak havoc on the Internet.
And what is an ESP-xxx device if not an IoT gadget?
So can someone shed some insight into the safety of the libraries one use when a project is programmed?
Has the library code been cleaned or at least audited for back-doors?
Can we safely use the thing we create using the Arduino framework and WiFi devices like the ESP8266 based ones?

[Riva]

Probably no audits or pen testing performed but the Arduino library code is open source so probably hundreds/thousands of people have skimmed through the code and would probably notice something unsavoury.

I think the big problem with a lot of IoT devices is they don't use encryption for the data so details like user names & passwords can end up being transmitted as plain text that is easy for a hacker to capture and use.
Pick a MCU with built in hardware encryption and turn it on or ensure you use library code that encrypts your data traffic.

[BosseB]

I'm not really worried about eavesdropping on my data (temp and humidity every 2 hours). It is being posted to a PHP script on my site, which does not use any database functionality either.

But I would not want my device to be hijacked and participate in DDoS attacks....
I have seen that Expressif released a vulnerability fix for WiFi VPA2 authentication. Apparently it was added into library 2.4.0 and I am running 2.4.1, so I might be protected from that at least.

[Riva]

If your only posting to a website and not acting as a web server to receive commands/data then that will help reduce the risk of the ESP being hacked.
I have 3x ESP8266's connected to my home wifi but they only post data to my local RPi server using MQTT. The RPi then posts the data up to cloud based dashboards using JSON or MQTT and receives data using ASCII strings (via Dweet.io). This limits potential damage from hackers as the data being passed is isolated through MQTT and is in effect just simple strings so easy to parse for out of bounds values like embedded hack code.

No system is hack proof but you can do a lot to limit the possible attack surface to the point it's an acceptable risk to use online. An ESP is probably to lower level of technology to be easily hackable to exploit other systems compared to the security cam botnets you probably read about that use Linux.

[BosseB]

Good idea about the RPi!
I have a number of them running here at home and I also have an Ubuntu Server 16.04-3 running Apache (it is used for two purposes: OpenVPN server to reach my home LAN from outside and as a backup SVN server via svnsync).
I could use either of these as a middleman for the data to be sent to the external webserver.
The reason I send data to the webserver is that I have rebuilt the roof of my house and I want to monitor temp/humidity up there. So I have created his ESP-07S based monitor which can handle up to 4 different AM2302 sensors.

The sensors are in place and the controller is built and programmed. But unfortunately I fell off a ladder 6 weeks ago while inspecting the roof construction progress so now I cannot climb up and make the final connections...
I hope I will be OK in a month or so. Meanwhile the controller sits on my desk and monitors the study temperature....

[Riva]

I use Wemos D1 Mini's with either SHT30 or BME280 sensors connected to monitor room contitions.
I also have an ESP32 with built in LoRa module that I use as a gateway for some LoRa32u4 modules with BME280 & LDR's. I'm testing them for battery life but will eventually deploy them outside where WiFi does not reach to monitor weather conditions and may also put one in the car to monitor it's cabin climate when it's parked nearby so I know if it needs defrosting in the winter.